Anchor contest - 0xwags's results

The Benchmark DeFi Yield.

General Information

Platform: Code4rena

Start Date: 24/02/2022

Pot Size: $170,000 UST

Total HM: 15

Participants: 16

Period: 14 days

Judge: Albert Chon

Total Solo HM: 11

Id: 82

League: COSMOS

Findings Distribution

Researcher Performance

Rank: 11/16

Findings: 1

Award: $994.44

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
QA (Quality Assurance)

Awards

994.4372 USDC - $994.44

External Links

(https://github.com/code-423n4/2022-02-anchor/blob/main/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/unbond.rs#L42-L49)

Within execute_unbond(), if threshold and other variables are not checked for a non-zero value, it will lead to loss of value.

Ensure that the threshold is set to greater than zero, as in the event that the exchange rate is in the lower bound it will not be checked properly, since it will always be higher than the threshold (if this value is zero). Also, recovery_fee should be non-zero as well, since it is used to calculate max_fee (the output will be zero). This will have an impact on amount_with_fee, as the user will not be charged any fee since peg_fee will always return 0 (max_fee will indefinitely be returned as the minimum of the two values) on line 46.

This is also the case for current_batch.requested_with_fee.

In the call to state.update_exchange_rate(), a higher exchange rate will be returned since it's only using the amount without adding the fee. See:

(https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/packages/basset/src/hub.rs#L44)

store_unbond_history() will include the flawed values.

This is also the case for:

(https://github.com/code-423n4/2022-02-anchor/blob/7af353e3234837979a19ddc8093dc9ad3c63ab6b/contracts/anchor-bAsset-contracts/contracts/anchor_basset_hub/src/bond.rs#L61)

get_finished_amount() will return a higher withdrawable amount.

Fix:

    use cosmwasm_std::{Decimal, StdError, Uint128};

    // Reject the unbond early if any of the values the fee computation depends on is zero;
    // each of them must be non-zero on its own, so the conditions are OR-ed.
    if recovery_fee == Decimal::zero()
        || threshold == Decimal::zero()
        || current_batch.requested_with_fee == Uint128::zero()
    {
        return Err(StdError::generic_err(
            "recovery_fee, threshold and requested_with_fee must be non-zero",
        ));
    }
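The fee step described in this finding, as an added illustrative model (not the Anchor contract's code and not part of the original submission): the peg-recovery fee is only charged when the exchange rate is below the threshold, and is the smaller of amount * recovery_fee and the fee required to restore the peg. Decimal values are represented here as u128 scaled by 10^18 (the fixed-point scale cosmwasm_std::Decimal uses internally), the "required" fee that the real contract derives from supply and bonded amounts is passed in directly, and the type and function names (Params, FeeOutcome, apply_peg_fee, validate_params, percent) are this example's own. Running it shows both failure modes the finding describes: a zero threshold means the fee branch is never entered, and a zero recovery_fee makes max_fee, and therefore peg_fee, zero even when the branch is entered.

```rust
// Added example, not the project's code: simplified model of the peg-fee step
// in execute_unbond() and of the parameter guard proposed in the finding.
// Decimals are u128 scaled by 10^18 (an assumption matching cosmwasm Decimal's
// internal scale); required_fee is supplied directly instead of being derived.

const DECIMAL_SCALE: u128 = 1_000_000_000_000_000_000;

/// Hub parameters relevant to the fee computation (names follow the finding).
#[derive(Debug, Clone, Copy)]
pub struct Params {
    /// Exchange-rate threshold below which the peg-recovery fee applies.
    pub er_threshold: u128,
    /// Fraction of the unbonded amount charged as peg-recovery fee.
    pub peg_recovery_fee: u128,
}

/// Result of the fee step: the fee charged and the amount recorded for the batch.
#[derive(Debug, PartialEq, Eq)]
pub struct FeeOutcome {
    pub peg_fee: u128,
    pub amount_with_fee: u128,
}

/// Simplified fee step: below the threshold, charge the smaller of the maximum
/// fee (amount * recovery_fee) and the fee required to restore the peg.
pub fn apply_peg_fee(
    exchange_rate: u128,
    params: &Params,
    amount: u128,
    required_fee: u128,
) -> FeeOutcome {
    if exchange_rate < params.er_threshold {
        // With peg_recovery_fee == 0 this is 0, so min(max_fee, required_fee) is 0.
        let max_fee = amount * params.peg_recovery_fee / DECIMAL_SCALE;
        let peg_fee = max_fee.min(required_fee);
        FeeOutcome { peg_fee, amount_with_fee: amount - peg_fee }
    } else {
        // With er_threshold == 0 no exchange rate is ever below it: fee is never charged.
        FeeOutcome { peg_fee: 0, amount_with_fee: amount }
    }
}

/// Guard along the lines of the finding's proposed fix: reject zero-valued fee
/// parameters before they silently disable the fee.
pub fn validate_params(params: &Params) -> Result<(), String> {
    if params.er_threshold == 0 {
        return Err("er_threshold must be non-zero".to_string());
    }
    if params.peg_recovery_fee == 0 {
        return Err("peg_recovery_fee must be non-zero".to_string());
    }
    Ok(())
}

/// Convenience: a decimal written as a percentage (e.g. 90 -> 0.90).
pub fn percent(p: u128) -> u128 {
    p * DECIMAL_SCALE / 100
}

fn main() {
    let amount = 1_000u128; // constructed sample unbond amount
    let required_fee = 500u128; // constructed fee needed to restore the peg
    let depegged_rate = percent(90); // exchange rate 0.90, below a 1.0 threshold

    let sane = Params { er_threshold: percent(100), peg_recovery_fee: percent(5) };
    let zero_threshold = Params { er_threshold: 0, peg_recovery_fee: percent(5) };
    let zero_fee = Params { er_threshold: percent(100), peg_recovery_fee: 0 };

    // Sane parameters: 5% of 1000 = 50 charged, 950 recorded.
    println!("sane:           {:?}", apply_peg_fee(depegged_rate, &sane, amount, required_fee));
    // Zero threshold: branch never entered, nothing charged.
    println!("zero threshold: {:?}", apply_peg_fee(depegged_rate, &zero_threshold, amount, required_fee));
    // Zero recovery fee: branch entered but max_fee is 0, nothing charged.
    println!("zero fee:       {:?}", apply_peg_fee(depegged_rate, &zero_fee, amount, required_fee));

    println!("guard: {:?} / {:?}", validate_params(&zero_threshold), validate_params(&zero_fee));
}
```

The guard belongs wherever the parameters are accepted (or at the top of the unbond path, as the finding suggests); rejecting the zero values there is what prevents requested_with_fee, the exchange rate and the unbond history from being computed from an uncharged fee.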

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
